Governance & records
Enterprise SSO (SAML & SCIM)
Your identity provider, your single sign-on — staff log in the way your county already does.
Connect CiVQ to the identity provider your organization already runs. SAML 2.0 single sign-on means staff log in once, through your own directory; SCIM 2.0 provisioning means accounts are created and deactivated automatically as people join and leave. It ships disabled — you turn it on when you've configured it, and nothing changes until you do.
The challenge
A larger county already runs a directory — Entra ID, Okta, Google Workspace — and expects every system to sign in through it. Without that, CiVQ is one more password to manage, one more place to remember to disable an account when someone leaves, and one more thing the security review flags. Manual account management is exactly where access goes stale.
In practice
One directory, one off-switch
The county's IT department points CiVQ at its identity provider with SAML metadata and turns SSO on. Now staff click "sign in," land on the county's familiar login, and come back authenticated — no separate CiVQ password to forget or reset. The same multi-factor and conditional-access rules the county already enforces apply here too, because the login happens in their system.
With SCIM turned on, the directory drives the accounts: when HR onboards someone, the account appears in CiVQ; when someone is offboarded in the directory, their CiVQ access is deactivated automatically, the same day, without anyone filing a ticket. The thing that always slips — disabling access when someone leaves — happens by itself, because there's one source of truth.
What it does
- 01
SAML 2.0 single sign-on
Staff authenticate through your existing identity provider — Entra ID, Okta, Google — instead of a separate CiVQ password.
- 02
SCIM 2.0 provisioning
Accounts are created and deactivated automatically as the directory adds and removes people — no manual account chores.
- 03
Your MFA and policies apply
Because the login happens in your IdP, the multi-factor and conditional-access rules you already enforce cover CiVQ too.
- 04
Ships disabled until configured
SSO and SCIM are off out of the box; nothing changes until your IT team configures and enables them deliberately.
- 05
One source of truth for access
The directory is the master record, so access doesn't drift — what's true there is true in CiVQ.
- 06
Deprovisioning that actually happens
When someone leaves the directory, their CiVQ access ends automatically — the off-switch nobody forgets to flip.
How it works
Point CiVQ at your IdP
Your IT team supplies the SAML metadata for your identity provider — Entra ID, Okta, Google Workspace.
Turn SSO on
Enable single sign-on; staff now log in through your directory with the policies you already enforce.
Turn SCIM on
Enable provisioning so the directory creates and deactivates CiVQ accounts automatically.
Let the directory drive
Onboarding and offboarding in your directory flow straight through to CiVQ access — no tickets, no drift.
English and Spanish
Bilingual by design
Enterprise SSO is an IT and security capability for the organizations that need it — a staff-facing configuration, English-first for the administrators who set it up. It doesn't touch the resident experience: the public website, portal, and every constituent-facing surface stay fully bilingual regardless of how staff happen to log in.
CiVQ AI — included in every package
CiVQ AI: keep the access map honest
Paired with access governance, CiVQ AI can reconcile what your directory says against what CiVQ grants — flagging accounts that linger after a directory removal, or duties that outlived the role that justified them. It surfaces the drift; your IT team makes the call.
Works better together
Get started
See CiVQ in your language.
Book a 30-minute walkthrough with our team in Rio Grande City. We'll tailor it to your city, county, or district.
Bilingual support included at every tier.